SSL security & Firefox
August 6, 2008 8:14 am
Federico: Completely agree. In fact, you’re now training people to go through a whole new “ignore security” conditioning – previously it was just “Add exception” or whatever. Now it’s “Next, Next, Add exception, Get certificate, Next”.
From that presentation you link to, this statistic stood out:
SecuritySpace survey found that 58% of all SSL certificates were invalid (expired, self-signed, unknown CA, incorrect domain, etc)
The presentation also said that “most people only see the valid certs from big sites, so this problem isn’t very visible,” which is the point that MoCo makes.
I discussed this with Gerv during OSCON, and his take on it was toeing the party line:
- Your cert is expired? Fix it already
- Your cert is from a different domain? Fix it already
- You’re self-signing a cert instead of paying $10 a year for one signed by a CA? Spend the money!
- If you’re running a volunteer site, and want a self-signed cert just to encrypt usernames & passwords, your visitors represent less than 1% of the internet population, sucks to be you!
(this is a paraphrase from my memory of the conversation).
I may be an edge case, but I seem to run into an awful lot of sites where the absolute correct thing for me to do is “Add exception Next Get certificate Next Next”. Sucks to be me, I guess.
August 6th, 2008 at 9:15 am
Actually, the security community urges Firefox to add cacert.org to the trust ring for certificates.
This is the only free alternative to evils like VeriSign etc.
Because a signed certificate is not $10 a year, and few people can spend the thousands of dollars needed for this.
August 6th, 2008 at 9:32 am
Very good points, Dave.
Firefox really screwed this one up. My internet experience is not the same.
August 6th, 2008 at 10:15 am
In order to avoid confusing our French friends with incorrect English idioms, please change “towing” to “toeing”. 🙂
August 6th, 2008 at 10:31 am
Nice catch Jeff 🙂 A slip of the tongue.
As my dad used to say: “a slip of the tongue is no slip of the mind, but if it slips too often, it gets caught behind”. Never really understood what that meant, but it sounded good 😉
August 6th, 2008 at 11:25 am
You could simply replace this entire post with “Q: I think you are dumb.”.
August 6th, 2008 at 1:10 pm
> just to encrypt usernames & passwords
I’m not too sure that a self-signed certificate gives you any security (think mitm). Or am I missing something here?
August 6th, 2008 at 1:49 pm
> > just to encrypt usernames & passwords
> I’m not too sure that a self-signed certificate gives you any security (think mitm). Or am I missing something here?
Self-signed certificates do not indicate that the DNS hasn’t been attacked and that you haven’t entered a phishing site. However, no one can decrypt the communication. So it only guarantees that nobody reads the username/password except the server I connected to.
> If you’re running a volunteer site, and want a self-signed cert just to encrypt usernames & passwords, your visitors represent less than 1% of the internet population, sucks to be you!
Why do you provide a version for Linux? We are also <1% of the Internet population.
August 6th, 2008 at 2:05 pm
@Michael Hofmann:
Self-signed certs provide *encryption* but do not guarantee the identity of the server.
I really don’t mind the new dialog that much. If you do, I suggest using cacert.org. That will mean only having to add 1 exception globally instead of 1 per site.
The old dialog may have been faster to get through, but wow it was ugly.
August 6th, 2008 at 5:15 pm
Dave, I’m with you. I probably accept multiple “invalid” certs every single day. I’d guess many other open-source developers (remember the people who actually make Firefox?) are in the same place.
As Toady said, though, getting CAcert into Firefox should help.
August 6th, 2008 at 6:28 pm
It’s important to realize that the vast majority of Firefox users (those in the non-tech community!) should never ever see a warning. Ever. If they do, they should be very worried.
However, for those of us who _are_ using self-signed certs it’s important to realize that Firefox 3’s system actually makes it easier to detect problems with those certs. If they change, you actually get a warning about it instead of just getting the same warning dialog with only slightly different text.
If you go read Johnathan’s post you will see that the tools to act as a man in the middle are getting easier and easier. We’re trying to get out ahead of those tools as best we can, attempting to make life better for users.
We won’t get everything right the first time but what we have is far better for less technical users and I would argue is better than Firefox 2 for technical users since it has a sense of certs changing and can give you a useful warning instead of just the same old dialog.
Also, in that report 58% of _what_ certs? Those that are most likely to be phished? Top 100 commerce sites? Or everything everywhere? For the commercial sites that I visit (a couple of banks, other secure commerce sites) I have never ever seen a bad cert. About the only time I see the cert warning dialog is when I am accessing one of these new-fangled free software site thingies. 🙂
We talked about CACert a little bit at the summit and there’s a bug on file. CACert needs to go through the same process as every other CA that we include in our root certs. I’ve seen one assertion in another blog that says “it’s because of Mozilla’s policy” and that’s true in fact, but not in spirit. CACert needs to meet a basic set of criteria to be included in our root set and it’s non-trivial for a reason.
Anyway, just a bunch of thoughts on the topic. Feel free to follow up on my blog if you want.
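Two points from the comments above can be shown concretely: a self-signed certificate encrypts the connection but proves no identity, because anyone can mint one for the same host name (Michael’s and the reply’s point), and an exception that is tied to the exact certificate rather than to the host name turns a swapped certificate into a fresh, distinct warning instead of the same old dialog (Christopher’s point about Firefox 3). The following is an added example and is not code from this post, from Firefox, or from any commenter. The host name `wiki.example.org`, the `Exceptions` store and the `Decision` values are my own hypothetical model of such a policy, written in Go against the standard library; the “import it as a root” step at the end is the single-global-trust route the cacert.org comments describe, applied to one site’s own cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned mints a self-signed certificate for host with a fresh key.
// Anyone who knows the host name can do this, which is why such a cert
// encrypts the connection but proves nothing about who is on the other end.
func newSelfSigned(host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// fingerprint is the SHA-256 of the DER encoding: the exception is keyed on
// the exact certificate, not on the host name it claims.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Decision is what the client does with a presented certificate
// (hypothetical model, not Firefox's actual states).
type Decision int

const (
	Trusted       Decision = iota // chains to a trusted root: no warning
	NeedException                 // no root vouches for it: ask the user once
	Pinned                        // matches the stored exception: no warning
	Changed                       // exception exists but the cert differs: warn
)

func (d Decision) String() string {
	return [...]string{"Trusted", "NeedException", "Pinned", "Changed"}[d]
}

// Exceptions is the per-host exception store: host -> pinned fingerprint.
type Exceptions map[string]string

// AddException records the user's "Add exception" for exactly this cert.
func (e Exceptions) AddException(host string, cert *x509.Certificate) {
	e[host] = fingerprint(cert)
}

// Decide applies the policy: a cert that chains to roots and matches the
// host name passes; otherwise the per-host exception decides, and a cert
// that differs from the pinned one is reported as changed, not re-prompted
// with the same generic dialog.
func (e Exceptions) Decide(host string, cert *x509.Certificate, roots *x509.CertPool) Decision {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err == nil {
		return Trusted
	}
	pinned, ok := e[host]
	switch {
	case !ok:
		return NeedException
	case pinned == fingerprint(cert):
		return Pinned
	default:
		return Changed
	}
}

// demo walks one volunteer site through the policy and returns the decisions
// in order: first visit, return visit, a MITM presenting a look-alike cert,
// and a return visit after the user instead imports the site cert as a root.
func demo() []Decision {
	const host = "wiki.example.org" // constructed example host
	roots := x509.NewCertPool()      // empty: no CA vouches for anyone here
	site := newSelfSigned(host)
	mitm := newSelfSigned(host) // same name, different key: indistinguishable by name
	store := Exceptions{}

	first := store.Decide(host, site, roots)
	store.AddException(host, site)
	again := store.Decide(host, site, roots)
	attacked := store.Decide(host, mitm, roots)

	roots.AddCert(site) // the "one global trust decision" route for this site
	asRoot := store.Decide(host, site, roots)
	return []Decision{first, again, attacked, asRoot}
}

func main() {
	for _, d := range demo() {
		fmt.Println(d)
	}
}
```

The empty root pool stands in for “no CA I trust signed this”; with the system roots instead, the result for a real CA-signed cert is `Trusted` and the exception store is never consulted, which is the normal, warning-free path for the commercial sites in the comment above. The attacker’s cert passes every check that looks only at the name, and is caught solely because the exception was bound to the fingerprint.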
August 12th, 2008 at 3:21 pm
[…] scheme is broken as designed. And Dave Neary hits the nail when he points right at the consequences: previously it was just “Add exception” or whatever. Now it’s “Next, Next, Add exception, […]
August 12th, 2008 at 3:25 pm
@Christopher Blizzard: I am worried. Firefox prevented me from accessing Yahoo.
I don’t mind the warning. I do mind the half a dozen clicks to dismiss what could be said and done in one or two.